add gencert.sh script to generate tls certificates,
add some comments to setup.sh
This commit is contained in:
parent
8f0a9892eb
commit
e5a33da6c6
81
gencert.sh
Executable file
81
gencert.sh
Executable file
@ -0,0 +1,81 @@
|
||||
#!/bin/bash
|
||||
|
||||
# https://documentation.ubuntu.com/server/how-to/openldap/ldap-and-tls/
|
||||
# requries gnutls-bin ssl-cert
|
||||
# only for ubuntu and you should probably double check the script before running
|
||||
|
||||
ORG=''
|
||||
CN=''
|
||||
|
||||
# Define directories and filenames
|
||||
CA_DIR="/etc/ssl"
|
||||
CA_INFO="${CA_DIR}/ldap-ca.info"
|
||||
CA_KEY="${CA_DIR}/private/ldap-ca-key.pem"
|
||||
CA_CERT_TEMP="/usr/local/share/ca-certificates/ldap-ca-cert.crt"
|
||||
CA_CERT="${CA_DIR}/certs/ldap-ca-cert.pem"
|
||||
SERVER_INFO="${CA_DIR}/ldap-server.info"
|
||||
LDAP_DIR="/etc/ldap"
|
||||
SERVER_KEY="${LDAP_DIR}/ldap-server-key.pem"
|
||||
SERVER_CERT="${LDAP_DIR}/ldap-server-cert.pem"
|
||||
|
||||
# read in organization and host cn (FQDN)
|
||||
read -p "Organization: " ORG
|
||||
read -p "CA CN (FQDN): " CN
|
||||
|
||||
# write CA tempalte info
|
||||
cat > $CA_INFO <<EOF
|
||||
cn = ${ORG}
|
||||
ca
|
||||
cert_signing_key
|
||||
expiration_days = 3652
|
||||
EOF
|
||||
|
||||
# write Server template info
|
||||
cat > $SERVER_INFO << EOF
|
||||
organization = ${ORG}
|
||||
cn = ${CN}
|
||||
tls_www_server
|
||||
encryption_key
|
||||
signing_key
|
||||
expiration_days = 3652
|
||||
EOF
|
||||
|
||||
# generate CA private key
|
||||
certtool --generate-privkey \
|
||||
--bits 4096 \
|
||||
--outfile $CA_KEY
|
||||
|
||||
# generate CA certificate
|
||||
certtool --generate-self-signed \
|
||||
--load-privkey $CA_KEY \
|
||||
--template $CA_INFO \
|
||||
--outfile $CA_CERT_TEMP
|
||||
|
||||
# update CA certificates
|
||||
update-ca-certificates
|
||||
|
||||
# generate server private key
|
||||
certtool --generate-privkey \
|
||||
--bits 4096 \
|
||||
--outfile $SERVER_KEY
|
||||
|
||||
# generate server certificate and sign certificate using CA
|
||||
certtool --generate-certificate \
|
||||
--load-privkey $SERVER_KEY \
|
||||
--load-ca-certificate $CA_CERT \
|
||||
--load-ca-privkey $CA_KEY \
|
||||
--template $SERVER_INFO \
|
||||
--outfile $SERVER_CERT
|
||||
|
||||
# make sure that openldap has access to the server key
|
||||
chgrp openldap $SERVER_KEY
|
||||
chmod 0640 $SERVER_KEY
|
||||
|
||||
# report the relevant files made (this is useful for running setup.sh after)
|
||||
echo "
|
||||
Generated TLS Certificates
|
||||
+==============================+
|
||||
CA Cert: ${CA_CERT}
|
||||
Server Cert: ${SERVER_CERT}
|
||||
Server Key: ${SERVER_KEY}
|
||||
"
|
7
setup.sh
7
setup.sh
@ -18,6 +18,7 @@ DO_TLS=1
|
||||
|
||||
POSITIONAL_ARGS=()
|
||||
|
||||
# parse CLI arguments
|
||||
while [[ $# -gt 0 ]]; do
|
||||
case $1 in
|
||||
--skip-auth)
|
||||
@ -51,8 +52,10 @@ echo "DO AUTH = ${DO_AUTH}"
|
||||
echo "DO TLS = ${DO_TLS}"
|
||||
echo "+===============+"
|
||||
|
||||
# always read in base dn
|
||||
read -p "Base DN: " BASE_DN
|
||||
|
||||
# read in init admin info
|
||||
if [ "$DO_INIT" = 1 ]; then
|
||||
read -p "Admin User ID: " ADMIN_ID
|
||||
read -p "Admin User Email: " ADMIN_EMAIL
|
||||
@ -67,18 +70,21 @@ if [ "$DO_INIT" = 1 ]; then
|
||||
do echo "Passwords must match" ; done
|
||||
fi
|
||||
|
||||
# read in infor for tls config
|
||||
if [ "$DO_TLS" = 1 ]; then
|
||||
read -p "CA Cert File Path: " CA_FILE
|
||||
read -p "Server Cert File Path: " CERT_FILE
|
||||
read -p "Server Key File Path: " KEY_FILE
|
||||
fi
|
||||
|
||||
# execute modify auth
|
||||
if [ "$DO_AUTH" = 1 ]; then
|
||||
envsubst '$BASE_DN' < auth.template.ldif > auth.ldif
|
||||
sudo ldapmodify -H ldapi:/// -Y EXTERNAL -f auth.ldif
|
||||
rm auth.ldif
|
||||
fi
|
||||
|
||||
# execute add init, which cannot be done on an already initialized system
|
||||
if [ "$DO_INIT" = 1 ]; then
|
||||
envsubst '$BASE_DN' < pass.template.ldif > pass.ldif
|
||||
envsubst '$BASE_DN:$ADMIN_ID:$ADMIN_EMAIL:$ADMIN_CN:$ADMIN_SN:$ADMIN_PASSWD' < init.template.ldif > init.ldif
|
||||
@ -87,6 +93,7 @@ if [ "$DO_INIT" = 1 ]; then
|
||||
rm pass.ldif init.ldif
|
||||
fi
|
||||
|
||||
# execute modify tls
|
||||
if [ "$DO_TLS" = 1 ]; then
|
||||
envsubst '$CA_FILE:$CERT_FILE:$KEY_FILE' < tls.template.ldif > tls.ldif
|
||||
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif
|
||||
|
Loading…
Reference in New Issue
Block a user